SAS Compliance Solutions 7.1 Fundamentals For Consultants: Suppression
Compliance Solutions 7.1
Fundamentals for Consultants
Suppression
Fraud & Security Intelligence ‐ Domain Delivery & Enablement
• Hello. Welcome to the Compliance Solutions 7.1 Fundamentals course.
sas.com
Copyright © SAS Institute Inc. All rights reserved.
Company Confidential – For Internal Use Only
• This section will discuss the various ways alerts can be suppressed.
Student Learning Objectives
By the end of this section you should be able to:
• Understand the various alert suppression mechanisms
• Know when to apply which
• Configure each of these
• Explain the functionality and optional choices to your customer
What is Suppression
Suppression is
• the temporary or indefinite ignoring
• of generated and future alerts
• either based on rules or algorithms (system suppression)
• Or analyst discretion (manual suppression)
in other words
Suppression means deprioritizing the alert
Regulatory sensitive
• intrinsically sensitive topic
• will catch the attention of any regulator
• Important to explain the logic behind it.
• As suppression, in a way, negates the alert.
• Suppression is an important and intrinsically sensitive topic as it will catch the
attention of any regulator, potentially exposing our customers who are not well able
to explain the logic behind it. It has the interest of regulators as suppression, from a
certain viewpoint, negates the alert. Whilst the alert is still generated the system also
tags the alert as ‘further analysis not required’. One must be able to explain why
certain alerts are being suppressed and not given the same level of attention the
other alerts get.
Why Suppression
There may be a business requirement to suppress certain alerts
The 2 most common reasons are:
1. The behavior is already being looked at and new (similar) alerts only repeat what
is already known from current alerts
2. The alert is (almost) certainly a false positive (but it is not desired or possible to
capture exact circumstances in a scenario)
Suppressed alerts are generated alerts …
… however are not routed to a user and do not appear in the active, workable alerts list
Instead they are given a suppressed status but can still be found with the alert target
search
The logic behind and/or reasons for suppression must be explainable to the regulator
4 Types of Suppression
In SAS AML
• C‐Analytics is Compliance Analytics
Introduction
• In the AML user interface suppressed alerts can still be searched on and viewed in the
target search for alerts.
• Under alert status you can specifically filter on manual or system suppressed alerts
• The difference between UI Suppressed and Batch Suppressed will be explained in the
upcoming slides.
• Note: reactivating suppressed alerts is not possible in 7.1, possibly re‐introduced with
hotfix 3
• Let’s look into batch suppression first.
Batch Suppression
Batch suppression suppresses new alerts by the system without input needed from the end user,
based on the actions of an Investigation User, or based on the Suppression_Duration_Count that
is defined for a scenario.
The fcf_suppression macro is responsible for the batch suppression process
Alerts will be given the code ‘SUE’ and appear in the suppressed alerts queue
OOTB alerts triggered by the same scenario (SCENARIO_NAME) and the same entity (PARTY_ID)
are suppressed during the time period set in the Scenario Details screen for ‘Suppression
(Calendar Days)’
Best practice is to have the number of suppression days aligned with the ‘look back period’ of a
scenario.
For scenario‐specified suppression, the initial alert is still generated as active (status = ‘ACT’) but
a suppression end date, calculated from current date + scenario suppression period, is set on the
alert; subsequent alerts for the same entity and scenario will be suppressed until the
suppression end date expires … and this will happen throughout the lifecycle of the initial alert,
so as the initial alert is closed (status = ‘CLS’) or added to case (status = ‘CLC’), the scenario
specified suppression will remain.
Batch Suppression: Scenario Admin
• In the UI, under Admin > Scenario Admin, in the details screen of any
scenario, there is in the details tab a field ‘Suppression Calendar Days’
• This sets the number of days of the period in which a new alert fired by the same
scenario for the same entity will be suppressed.
• Best practice is to align this field with the lookback period of a scenario
• We will discuss lookback period more extensively, but in a nutshell it means how
many days the scenario will look back to consider and aggregate transactions.
Batch Suppression: Example
A scenario considers a lookback period of 4 business days.
It will trigger an alert when at least 3 cash deposits (CD) with a minimum of 500 USD each
occur within 4 days and have an accumulated cash deposit value of at least 2000 USD.
The value for ‘Suppression (Calendar Days)’ in the UI is set to 4
| Day | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 |
|---|---|---|---|---|---|---|---|---|---|
| Cash Deposit 1 | 300 | 600 | 501 | 450 | 599 | 400 | n/a | 450 | 200 |
| Cash Deposit 2 | 499 | n/a | n/a | 800 | n/a | 200 | n/a | 450 | n/a |
| Wire Transfer 1 | n/a | 700 | 600 | n/a | 600 | 100 | n/a | 600 | 500 |
| Wire Transfer 2 | n/a | n/a | n/a | n/a | n/a | 300 | n/a | n/a | n/a |
| # CD >= 500 for that day | 0 | 2 | 2 | 1 | 2 | 0 | 1 | 0 | 1 |
| $ CD for that day | 799 | 600 | 501 | 1250 | 599 | 600 | 0 | 900 | 200 |
| # CD >= 500 during lookback | 0 | 2 | 4 | 5 | 7 | 5 | 4 | 3 | 2 |
| $ CD during lookback | 799 | 1399 | 1900 | 3150 | 2950 | 2950 | 2449 | 2099 | 1650 |
| Alert being generated | N | N | N | Y | Y | Y | Y | Y | N |
| Alert being suppressed | N | N | N | N | Y | Y | Y | N | N |
• On day 5 there is a cash deposit of 599 and a wire transfer of 600. An alert will be
generated because all scenario conditions are still met. However, the alert will be
suppressed as the scenario and entity are the same and the initial alert is less than 4
days ago.
• On day 6 there is a cash deposit of 400 and another one of 200 as well as 400 USD
worth of wire transfers. Even though the 2 cash deposits do not meet the scenario
condition of 500 USD each, an alert is triggered nevertheless because all conditions,
including the 500 USD minimum deposit, are met in the past 4 days. However, since
the initial alert is also less than 4 days old the alert will again be suppressed.
• On day 7 there is no activity on the account at all. An alert is not generated because
the SAS scenarios will only run for accounts that have at least one transaction for that
day (we will discuss this in the section on scenarios). Since there is no alert, there is
no need for suppression.
• On day 8 there are 2 cash deposits of under 500, 450 USD each. An alert is being
triggered because over the past 4 days there were more than 3 cash deposits of more
than 500 with a total value of at least 2000. This time the alert is NOT suppressed as
the last non‐suppressed alert was 5 days ago.
• On day 9 the total number of cash deposits meeting the 500 and the total cash
deposit amount for the past 4 days drop below the scenario threshold so no alert is
generated.
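The scenario-specified suppression rule walked through above, as an added Python sketch (not SAS code and not the fcf_suppression macro): the first alert for a scenario and party stays ‘ACT’ and opens a suppression window, and later alerts for the same pair get ‘SUE’ until the window ends. The scenario names, party ids and calendar dates are constructed, and the boundary rule (the window has expired once the run date reaches the end date) is an assumption chosen so that day 8 is not suppressed, as in the example.

```python
from datetime import date, timedelta

def apply_batch_suppression(alerts, suppression_days):
    """Assign 'ACT' or 'SUE' to alerts produced by the daily run.

    alerts: iterable of (run_date, scenario_name, party_id) tuples.
    suppression_days: scenario_name -> 'Suppression (Calendar Days)' value.
    Every result records which initial alert caused a suppression and when
    the window ends, so the decision can be explained afterwards.
    """
    windows = {}  # (scenario_name, party_id) -> (initial alert date, end date)
    results = []
    for run_date, scenario, party in sorted(alerts):
        key = (scenario, party)
        window = windows.get(key)
        # Assumption: the window has expired once run_date reaches the end date.
        if window is not None and run_date < window[1]:
            results.append({"run_date": run_date, "scenario": scenario,
                            "party": party, "status": "SUE",
                            "initial_alert": window[0],
                            "suppression_end": window[1]})
            continue
        # No live window: the alert stays active and opens a new window.
        # The window is keyed on scenario and party only, so it survives the
        # initial alert being closed (CLS) or added to a case (CLC).
        end = run_date + timedelta(days=suppression_days.get(scenario, 0))
        windows[key] = (run_date, end)
        results.append({"run_date": run_date, "scenario": scenario,
                        "party": party, "status": "ACT",
                        "initial_alert": None, "suppression_end": end})
    return results

def day(n):
    """Map the example's day number to a constructed calendar date."""
    return date(2024, 1, 1) + timedelta(days=n - 1)

# Constructed input: party P1 follows the speaker notes (alerts generated on
# days 4, 5, 6 and 8); P2 and WIRE_VELOCITY show that the window is specific
# to one scenario and one entity. All names are hypothetical.
SAMPLE_ALERTS = [
    (day(4), "CASH_STRUCTURING", "P1"),
    (day(5), "CASH_STRUCTURING", "P1"),
    (day(6), "CASH_STRUCTURING", "P1"),
    (day(8), "CASH_STRUCTURING", "P1"),
    (day(5), "CASH_STRUCTURING", "P2"),
    (day(6), "WIRE_VELOCITY", "P1"),
]
SUPPRESSION_DAYS = {"CASH_STRUCTURING": 4, "WIRE_VELOCITY": 4}

if __name__ == "__main__":
    for row in apply_batch_suppression(SAMPLE_ALERTS, SUPPRESSION_DAYS):
        print(row["run_date"], row["scenario"], row["party"], row["status"])
```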
• Now we understand Batch suppression, let’s take a look at manual suppression also
referred to as UI suppression
Manual Suppression
UI suppression allows end users (analysts and investigators) to suppress new alerts from the UI
An end date to the suppression period can be set but this is optional
The new alerts for the same scenario and the same entity will be suppressed as long as the
rundate does not exceed the suppression end date, if set
The alert that is suppressed in the UI will be given the code ‘SUP’
The subsequent alerts that are being suppressed because of the UI suppression will be given
the code ‘SUE’
Alerts can be manually activated again, which means alert will get the ‘ACT’ code and the
suppression will end.
UI Suppression will ignore/override the ‘Suppressed (Business Days)’ value
Manual Suppression: UI
• Manual suppression is set at entity level and applies to all active alerts for that
entity at the time of suppression.
Manual Suppression: Example
A scenario considers 1 business day.
It will trigger an alert when at least 2 cash deposits (CD) with a minimum of 200 USD each
occur on a day and have a minimum total value of 500 USD.
The suppression expiration date is set to 3.
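| Day | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 |
|---|---|---|---|---|---|---|---|---|---|
| Cash Deposit 1 | 300 | 100 | 600 | n/a | 600 | 200 | 750 | 600 | 400 |
| Cash Deposit 2 | 250 | 0 | 0 | 800 | 250 | 0 | 500 | 500 | 200 |
| Wire Transfer 1 | n/a | 100 | 0 | 0 | 0 | 400 | 500 | 600 | 500 |
| Wire Transfer 2 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| # CD >= 200 for that day | 2 | 0 | 1 | 2 | 2 | 1 | 2 | 2 | 2 |
| $ CD for that day | 550 | 100 | 600 | 800 | 850 | 600 | 1250 | 1100 | 600 |
| Init Alert status at end of day | Active | Suppressed | Suppressed | Suppressed | Suppressed | Reactivated | Closed | Suppressed | Suppressed |
| Alert being generated | Y | N | N | Y | Y | Y | Y | Y | Y |
| Alert being suppressed | N | n/a | n/a | Y | Y | N | N | N | Y |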
• Let’s talk about the third suppression mode: whitelist suppression
What are white lists?
Whitelists are lists of customers for which reporting will never be required or deemed
inappropriate. Typical examples are official government accounts, or foreign
government representatives and bodies enjoying diplomatic immunity.
The list forms the basis of suppression of any alerts against the whitelisted entity and
does not distinguish between scenarios.
FIs typically review the list of whitelisted customers on a periodic basis to ensure they still
meet the business requirements to be “excluded” from traditional monitoring.
In the US this materializes in the DOEP (‘designation of exempt person’) which is
documented and supported by regulators.
Whitelist Suppression
The fcf_whitelist_suppression macro suppresses
alerts based on one or more whitelists.
This optional macro runs after fcf_suppression and
suppresses (SUP) active (ACT) alerts that have not
been batch suppressed for parties or accounts
included in a whitelist.
These whitelists can be managed through the List
Management UI.
All alerts for an entity on the whitelist will be
suppressed
Whitelist Suppression Macro
%fcf_whitelist_suppression(
   inLib=,
   inDS=,
   outLib=,
   outDS=,
   outWhitelistSuppressedLib=,
   outWhitelistSuppressedDS=,
   whitelistCategoryName=
);
Example
%fcf_whitelist_suppression(
   inLib=STG_ALER,
   inDS=suppressed_alerts,
   outLib=STG_ALER,
   outDS=whitelist_suppressed_alerts,
   outWhitelistSuppressedLib=STG_ALER,
   outWhitelistSuppressedDS=only_wl_suppressed_alerts,
   whitelistCategoryName=Whitelists
);
• Out of the box the whitelist suppression macro looks at lists of the category
Whitelists, but this can be changed as the whitelist suppression macro code is
uncompiled.
Compliance Analytics Suppression
Compliance Analytics is a process that is used to automatically suppress alerts …
… whose profile matches that of an organization’s historically suppressed alerts.
… by executing scoring code that can statistically suggest whether an alert is a
productive alert or a false positive.
Note: If you are installing SAS Anti‐Money Laundering for the first time, you
should not activate this feature until you have at least six months of data.
Alerts suppressed by Compliance Analytics will be given the ‘SUE’ status code
The Process
Requires SAS Enterprise Miner
• The process in a nutshell
The list of alerts is fed into an analytical process to create signatures
The signatures are used to train a model, the outcome of which are classifiers:
strong indications that the alert is a false positive based on disposition history.
These classifiers are then executed against new alerts that are created by the daily
alert generation process and that are added to the daily alert signature,
automatically suppressing alerts and false positive pass‐throughs.
For monitoring of this fully automated process,
reports are produced for analysis and review.
uses modeling techniques
Reviews alert history and disposition to generate a scoring code called a
classifier
This classifier is used to score new alerts and determine the probability that the
alerts are good
Alert + its collection of variables is called the Alert Signature, which is captured
in a dataset
Dispositions of interest are enumerated and stored in
the modeling_event_description.csv file.
The historical alerts and their dispositions are put into a data set.
After the model is created, scoring code (classifier) is generated.
Business rules can be set up to allow some of the suppressed alerts to pass
through
For testing, the actual updating of the alert status to suppressed in the database
can be turned off*
Compliance Analytics Suppression: Creating Alert Signatures
Execute the fcf_ca_modeling macro against at least six months of alert data in
the Knowledge Center
The modeling run analyzes closed alerts with a status code of ‘CLS’ or ‘CLC’.
It gathers the historical data for closed account and party alerts.
It uses the modeling event descriptions in the
modeling_event_description.csv file.
The fcf_ca_account_signature and the fcf_ca_party_signature macros create
the signatures.
fcf_ca_sum_account_trans macro and fcf_ca_sum_party_trans macro sum
transaction amounts for the alerts.
These macros also count how many transactions occurred for the alert. The
totals for each alert are appended to the corresponding signatures.
Note: Based on your customer’s transaction types, these macros might need to
be modified.
Pass Through
To ensure that the classifiers are working properly, let a number of false positives pass through to be analyzed, either
through
1. Business rules
setting the blInd parameter in the %fcf_ca_daily macro to Y
using the fppt variable in the %fcf_ca_daily macro or the fpPassthroughPct variable in the
%fcf_ca_execute_classifiers macro
A BusinessRules.sas module is located in the !AMLROOT/custom/source directory.
You can write your own rules or modify the samples that are provided.
The rules that you create or modify need to be placed in the classifier directory.
The rules are included in and executed by the %fcf_ca_execute_classifiers macro if the blind
variable is set to Y.
Business rules are written as SAS DATA step code.
2. False Positive Pass‐Through Variable
configure the pass‐through variable fppt, which is located in the %aml_ca_daily macro.
You can also configure the pass‐through variable fpPassthroughPct, which is located in the
%fcf_ca_execute_classifiers macro.
The variable defaults to 5% if a value is not set.
Note: After the business rules and false positive variable have executed, the remaining alerts that are
marked for suppression by Compliance Analytics remain marked as suppressed.
Compliance Analytics Suppression: Creating the Report
Compliance Analytics creates reports at the end of each batch run,
providing details about alerts that were suppressed:
alert ID
classifier score
classifier name
Risk score suppressed indicator
false positive pass‐through indicator
suppressed indicator
business rule pass‐through indicator
scenario name
These reports are located in the &AMLROOT/reports directory in the
format <report name>_&runasofdate.html. For example, a daily
report might be in the format
compliance_analytics_daily_20120422.html.
Recap
• C‐Analytics is Compliance Analytics
Thank you.
For any questions, comments or
suggestions for this training, please
contact us at [email protected]
The following persons contributed to this course:
• Thank you for watching this. If you have any questions, comments or suggestions,
please contact us at psd fcs [email protected].